One good way to fight bank email phishing is to send all your official bank email from servers whose forward confirmed reverse DNS resolves back to their domain name. For example, Wells Fargo Bank does it right. Everything that comes from Wells Fargo is sent by a host named * So if it matches that, it’s good and if it doesn’t — it’s spam. Same is true for PayPal, but not Bank of America. I have an email from them that is real, but the host name it came from is So as a spam filtering operation how am I supposed to know that is really Bank of America? Why can’t they send email from * servers like secure banks do?

But – I guess it doesn’t matter because they are getting bailout money so they can afford to subsidize the Russian mafia and make it up in higher credit card fees to honest people. But it’s clear to me that their IT department doesn’t give a f**k about fraud or security or they would at least take some minimal precautions to help people avoid getting ripped off.

  1. sargasso says:

    Imagine how bad it would be if you actually did have a bank account in Russia, Ukraine or Nigeria.

  2. Lou says:

    Glad I’m not with BOA. Now you know why the banking industry is screwed.

  3. Mark Derail says:

    Marc – I totally agree with you. This is a huge tech pet peeve of mine.

    Most likely BOA outsourced an email campaign, and then that company outsourced the sending.

    I’ve had to tone down the settings to accept if there is a valid PTR record only.

    I hate to remove the lookup on the HELO, yet, many large Co’s have set their HELO to be their internal machine name, kinda like “ntemail.thiscompany.local”, which doesn’t match the IP of the originator.

    The worst are the people that use grey listing w/o setting it up properly, causing lots of delays and large log files for nothing.
    Like grey listing by originating email address instead of by server/IP, use caching with a 30 day expiry.

  4. WmDE says:

    Curious. belongs to Conversen, a marketing company. Did the email have any actual account info in it?

    If not it is spam. Just spam from someone you know.

    Yield on BAC is 20%. At least it is currently.

  5. Paddy-O says:

    “So as a spam filtering operation how am I supposed to know that is really Bank of America?”

    So, what does an MX lookup reveal?

  6. Marc Perkel says:

    #4 – yes – the email knew what my credit limit was on the card I quit using several years ago so the third party had my available balance information. Something that I did NOT authorize BofA to give out.

    In fact the only reason I have any BofA relationship is that I used to have a card with MBNA and they got bought by BofA.

  7. Paddy-O says:

    Mark, reports the MX record: 3600

    Any decent anti-spam server s/w would have told you this. What s/w do you use?

  8. Marc Perkel says:


    I think you are missing the point. BofA email should come from IP addresses whose FCrDNS resolves back to a * host name. That way I can tell valid email 100% of the time.

    Forward confirmed RDNS can’t be spoofed. But BofA email can come from anywhere and I can’t determine if it’s real like I can with Wells Fargo or PayPal. I only had one email from a PayPal employee that came from a non-paypal server and I just told him, spam or not, that there was no fucking way that I’m passing email unless it comes from a server. And he backed down.

  9. Paddy-O says:

    #9 “# 9 Marc Perkel said, “I think you are missing the point. BofA email should come from IP addresses whose FCrDNS resolves back to a * host name.”

    I do understand. However, BofA didn’t originate the email (as far as I can tell) a mktg company did. Now, BofA shouldn’t have given them your data, but if I were BofA IT I wouldn’t allow another company to send email that references my servers…

  10. Marc Perkel says:

    The email was supposedly from BofA.

    From: “Bank of America”
    To: “Marc Perkel”
    Date: 27 Jan 2009 13:07:49 -0500
    Subject: Use your Platinum Plus(R) credit card today.
    Received: from ([])
    by with esmtp (Exim 4.69)
    id 1LRsMQ-0006cA-IQ on interface=
    for; Tue, 27 Jan 2009 10:08:47 -0800

  11. Paddy-O says:

    #11 Holy crap. resolves to

  12. Marc Perkel says:

    Yes Paddy-O – you see my point then?

  13. Mr. Fusion says:

    #13, Marc,

    I really am sorry, but, Cow-Paddy has this comprehension problem. Even worse, he thinks he knows what this is about. It doesn’t matter, he is going to suggest this is your fault.

  14. the real billybob says:

    Scank of America deserves to go down the tubes. They practice predatory lending on a daily basis.
    Oooooooo don’t get me started!

  15. AdmFubar says:

    everyone join a credit union…. enough said

  16. Paddy-O says:

    # 13 Marc Perkel said, “Yes Paddy-O – you see my point then?”

    Oh, yes.

  17. ran6110 says:

    Check it out!

    Bailout Recipients Hosted Call To Defeat Key Labor Bill

    “Three days after receiving $25 billion in federal bailout funds, Bank of America Corp. hosted a conference call with conservative activists and business officials to organize opposition to the U.S. labor community’s top legislative priority.”

  18. LtSiver says:

    Heh I agree Marc. Keep in mind this is also the bank that came up with that horribly stupid “SiteKey” feature… Which is totally susceptible to man in the middle if you’re not the bank of america website.

  19. Mr Diesel says:


    That is a great solution. MY bank has started charging me (on a free account) a monthly charge and I’m taking everything over to a credit union.

    Screw the banks.

  20. J Random says:

    As soon as you introduce third party email services you’re going to see cases where clue-impaired and sketchy operators can’t properly maintain DNS entries for each campaign.

    Have to wonder what your Authentication-Results: headers look like though. Did the message pass an SPF check? I can see that BofA created a record to delegate that to Conversen, but maybe Conversen screwed the pooch. Also, was any signing technology like DK/DKIM used, and did that verify?

    You ultimately have to make your own choices about what you’ll accept, and if you’ll only accept FCrDNS-checked messages then good luck. But BofA isn’t the only company you’ll have an issue with…

  21. tahos says:

    I think ther’s some confusion here about messages that are “spam” versus messages that are “phish.” There is a very important distinction: the definition of SPAM is pretty subjective. However the definition of phish is not. Which one are we talking about here?

    Marc seems like a smart enough guy that he took a look at the e-mail headers and figured out that an e-mail from bank of america came from a third-party sender. He seems to want all e-mail from bank of america to come from a machine that has a DNS record with something like in it. Sounds fair, but also difficult especially since it’s a fairly large company. Here’s another idea.

    How about if bank of america used some kind of tag on their messages to indicate they were legitimately from them?

    I took a look at some legit e-mail I got from Bank of America, the customer loyalty e-mail similar to what Marc received, and there are SPF records authorizing those for bank of america’s domains. So, they actually *have* done something to allow systems to validate e-mail from them. Some other e-mail I get from them has DKIM signatures on it, so I know they are working on that too.

    Maybe instead of switching banks, we should also go to our ISPs and spam vendors and ask them to start paying attention to the e-mail authentication protocols as well?

  22. Paddy-O says:

    # 18 ran6110 said, “Check it out! Bailout Recipients Hosted Call To Defeat Key Labor Bill”

    God! I read “the Employee Free Choice Act “. Amazing that they want to do away with secret balloting for Unions. How scary is that? Bunch of thugs.

  23. jjtr.internet says:

    is this a valid email account of boa

  24. lawyer says:


    Really Fantastic post, just found This blogpost feed from Digg upcomming New Story Section. Great post & Very usefull all of us.

    Keep it up!


Bad Behavior has blocked 11931 access attempts in the last 7 days.